Does a Splunk forwarder need to be installed a on ...

cipherboy123 · ‎11-04-2019

Do I need to install a Splunk forwarder on a Splunk server to ingest its own logs?
Or does the server automatically grab its own logs?

edgarsilva01 · ‎11-05-2019

No, if you want to monitor logs that live on the server where you have splunk installed it is not necessary to install the forwarder.
See a "configuration" "add data" "Monitor" and see the different options of how you can monitor the records.

Optional use "Local event logs" or "Files and directories" for this option you need the path where the logs you want to monitor are stored.

Regards

woodcock · ‎11-04-2019

By default, Splunk splunks it's own Splunky junk, HOWEVER, it does not by default send to Indexers, which is very important to make happen for your Search Heads, DSs, MCs, CMs, Deployers and all other non-Indexer Splunk nodes.

adonio · ‎11-04-2019

no you dont need to install the forwarder where the splunk server is
configure your inputs as you see fit locally
read all the way through dos here:
https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/Getstartedwithgettingdatain

jacobpevans · ‎11-04-2019

It automatically ingests its own logs. Run a search for:

index=_* host=[your_splunk_host]

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

cipherboy123 · ‎11-04-2019

Thanks, I searched my localhost through the dashboard but there were no longs that appeared from the host.

Does a Splunk forwarder need to be installed a on a Splunk server to ingest its own logs? Or does the server automatically grab its own logs?

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector